if I set my hostname to xp2600c.nperfection.com it dies a horrible death:

imtest xp2600c.linuxnet.nl
S: * OK xp2600c.nperfection.com Cyrus IMAP4 v2.2.8 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE LOGINDISABLED AUTH=GSSAPI SASL-IR
S: C01 OK Completed
C: A01 AUTHENTICATE GSSAPI
S: A01 NO generic failure
Authentication failed. generic failure
Security strength factor: 0

but xp2600c.linuxnet.nl however does pass the test! (thanks for the hint!)

imtest xp2600c.linuxnet.nl
S: * OK xp2600c.linuxnet.nl Cyrus IMAP4 v2.2.8 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE LOGINDISABLED AUTH=GSSAPI SASL-IR
S: C01 OK Completed
C: A01 AUTHENTICATE GSSAPI
S: + YIGWBgkqhkiG9xIBAgICAG+BhjCBg6ADAgEFoQMCAQ+idzB1oAMCARCibgRsT7/hOc1MB912ryagnCDkDZixJnJzMlHxKzFAWkaV8E4mt8WeoxVHPBMDUaXOp8ybbScuLNrjgQGNHylvQSVWiGmnKp67cg+nwj8maKMXIZSYHRTZNKFwqaBvJk+A+UvGhe+H8cYJYGxoOruO
C:
S: + YD8GCSqGSIb3EgECAgIBBAD/////v68VJcY3id4KFBLlBN2metd0bgOLnSrjkfEBvAoGkT9W7hGsBwAQAAQEBAQ=
C: YD8GCSqGSIb3EgECAgIBBAD/////MiDHXl7q31f0X2z7oD/1wfJ7yj9sS5ENMmrEeDulAENmQI/mBAAEAAQEBAQ=
S: A01 OK Success (privacy protection)
Authenticated.
Security strength factor: 56

I am also able to log in to cyradm now.
Now all that is left to find out is how to get this to work with virtual domains....

> That's strange. I certainly wouldn't contradict what you're
> saying, but the behaviour of our Cyrus IMAP server seems exactly
> the same as that which Mark had described. And the fix was to
> ensure that the names were the same.
>

It does fix the problem, I however do have another theory in mind.
Kerberos maps DNS --> realm names and nperfection.com isn't mapped to anything.
Currently it is like this.

[realms]
    LINUXNET.NL = {
        kdc = xp2600c.linuxnet.nl:88
        admin_server = xp2600c.linuxnet.nl:749
        default_domain = linuxnet.nl
    }

[domain_realm]
    .linuxnet.nl = LINUXNET.NL
    linuxnet.nl = LINUXNET.NL

Perhaps nperfection.com needs to be "mapped" to a Kerberos realm...
I guess I'll have to dig into the realm theory a little more then :D

> I assume, then, that it has to do with our having a virtual
> interface defined, rather than just a CNAME?
> The hostname that is
> listed in our 'servername' parameter in /etc/imapd.conf is
> configured on a virtual interface, it is not merely a CNAME for
> the canonical FQDN of the host.

I'll check that out too.

> I can run 'imtest imap' (which is the virtual interface) and
> successfully authenticate, whereas if I run 'imtest hostname'
> with the canonical hostname of the IMAP server, the client
> retrieves the proper imap/hostname service tickets, but the
> connection is rejected by the IMAP server. The error message is:
>
> GSSAPI [SASL(-13): authentication failure: GSSAPI Failure:
> gss_accept_sec_context]
>
> I thought that this might be the same problem, but perhaps not?

At least I am moving in the right direction, thank you all for your help so far.

Mark Hannessen
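
Added example, not part of the original message: a small Python model of the [domain_realm] lookup discussed above, run against the krb5.conf fragment quoted in the message. It assumes the documented MIT krb5 lookup order (the host name, then each parent domain with and without a leading dot); the function names are hypothetical, and what a given Kerberos library does when nothing matches is not modelled.

```python
# Constructed sample: the krb5.conf fragment quoted in the message above.
KRB5_CONF = """\
[realms]
    LINUXNET.NL = {
        kdc = xp2600c.linuxnet.nl:88
        admin_server = xp2600c.linuxnet.nl:749
        default_domain = linuxnet.nl
    }

[domain_realm]
    .linuxnet.nl = LINUXNET.NL
    linuxnet.nl = LINUXNET.NL
"""

def parse_domain_realm(text):
    """Return the [domain_realm] entries as a {name: REALM} dict."""
    mapping, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "domain_realm" and "=" in line:
            name, realm = (p.strip() for p in line.split("=", 1))
            mapping[name.lower()] = realm
    return mapping

def candidates(hostname):
    """Yield lookup keys: the host, then '.parent' and 'parent' per parent domain."""
    name = hostname.lower().rstrip(".")
    yield name
    while "." in name:
        name = name.split(".", 1)[1]
        yield "." + name
        yield name

def realm_for_host(hostname, mapping):
    """Return (realm, matched_key), or (None, None) when no entry covers the host."""
    for key in candidates(hostname):
        if key in mapping:
            return mapping[key], key
    return None, None

if __name__ == "__main__":
    table = parse_domain_realm(KRB5_CONF)
    for host in ("xp2600c.linuxnet.nl", "xp2600c.nperfection.com"):
        realm, key = realm_for_host(host, table)
        print(f"{host:26} -> {realm or 'no [domain_realm] entry'} (matched: {key})")
```

With the quoted configuration, xp2600c.linuxnet.nl resolves through the ".linuxnet.nl" entry, while xp2600c.nperfection.com matches no entry at all.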